ABSTRACT

We present a new class of distributed key generation and recovery algorithms suitable for group communication systems where the group membership is either static or slowly time-varying, and must be tightly controlled. The proposed key generation approach allows entities which may have only partial trust in each other to jointly generate a shared key without the aid of an external third party. The group collectively generates and maintains a dynamic group parameter, and the shared key is generated using a strong, one-way function of this parameter. This scheme also provides perfect forward secrecy. The validity of key generation can be checked using verifiable secret sharing techniques. The key retrieval method does not require the keys to be stored in an external retrieval center. We note that many Internet-based applications may have these requirements. Fulfillment of these requirements is realized through the use of fractional keys, a distributed technique recently developed to enhance the security of distributed systems in a non-cryptographic manner.

INTRODUCTION

Cryptographic key generation and management is an important problem in multicast and group communications [1-5]. In many instances, it is desirable to generate a group shared key (SK) for efficient intra-group communications. However, having the same SK implies that all the group membership is at the same trust level. In a distributed, multicast group, it is often not possible nor desirable to have the same trust level throughout the group. One may be tempted to suggest that a single trust level can be defined by choosing the lowest possible trust level as the group trust level. Though such a straightforward approach is feasible, one can do better by compartmentalizing the group based on local trust levels [5]. Such a compartmentalization inevitably leads to clustering of a given group. Compartmentalization also helps in having a better control over the set of key management and distribution functionalities as noted in [5].

Funded in part by NSA under its LUCITE Program and the U.S. Army Research Laboratory under the Advanced Telecommunications/Information Distribution Research Program (ATIRP), CAN# DAAL01-96-2-0002.

While the entities in each cluster may share a common trust level, it may be that the clusters are mutually suspicious and have only partial trust in each other. Thus, a mechanism is desired that permits mutually suspicious parties to come together to generate a shared key. In order to avoid involving (and potentially paying) a third party, it is also desirable that the scheme involve only the group members and no external parties.

Schemes such as [2,3,4] propose to replace the traditional (external) Key Distribution Center (KDC) with a Group Controller (GC) which can generate and distribute the keys. However, in these approaches, a single member is allowed to generate the keys. This means that group members must place complete trust in this group member. In [5], a panel of members are allowed to generate the keys. However, [5] does not present any explicit distributed key generation scheme.

In this paper, we present a class of key management schemes which increase the security of key generation and recovery using non-cryptographic techniques. The schemes employ distributed algorithms based on Fractional Keys (FK). The proposed methods allow the members to automatically update the keys in a periodic manner without any assistance from an external third party, and to do so using verifiable secret sharing techniques [7,8].

PROPERTIES OF THE NEW KEY GENERATION SCHEME

The following notation is used to describe the different quantities used in the algorithm:

$\alpha_{i,j}$: The one-time pad of the $i$th member at the $j$th key update iteration.

$\theta_j$: The pad binding parameter at the $j$th key update iteration.

$\{K_i, K_i^{-1}\}$: Public key pair of the member $i$. This pair is assumed to be updated appropriately to keep the integrity and confidentiality of any communication transaction by and with member $i$.

$FK_{i,j}$: The FK of the $i$th member at the $j$th key update iteration.

$HFK_{i,j}$: The hidden FK (HFK) of the $i$th member at the $j$th key update iteration.

$SK_j$: The group SK at the $j$th key update instance.

$A \rightarrow B : X$: Principal $A$ sends principal $B$ a message $X$. Our message format is $\{\{T_i, M, j, Msg\}_{K_S^{-1}}\}_{K_R}$, where

• $T_i$: a real-valued, wallclock time stamp nonce generated by member $i$.

• $M$: denotes the mode of operation with "I" for Initialization mode, "G" for key Generation mode, and "R" for key Recovery mode.

• $j$: integer-valued, denotes the current iteration number.

• $Msg$: the message to be sent.

• $K_S^{-1}$: denotes the private key of the sender $S$.

• $K_R$: public key of the receiver.

In developing the new key scheme, we note that the following properties are desirable for a multiparty key generation scheme:

• A FK contributed by a participating member should have the same level of security as the group SK.

• A single participating member, without valid permissions, should not be able to obtain the FK of another member.

• If a FK-generating member has physically failed, been compromised or removed, the remaining FK-generating members should be able to jointly recover the FK of the failed member (this requires not majority voting but total participation).

We note that the first property simply states that the distributed key generation scheme has to be such that each FK space has at least the same size as the final SK space. Hence, each member may generate a FK of different size but, when combined, they lead to a fixed length SK.

The second property has to do with the need for protection of individual FKs that is desired due to the absence of a centralized key generation scheme. In the current scheme, every member performs an operation to hide its FK such that, when all the hidden FKs (HFK) and the group parameter are combined, the net result is a new SK. We note that even if a HFK is known, the problem of obtaining the actual FK or the SK needs further computation. We will describe the requirements of the FK concealment mechanism in the next section.

If a contributing member physically fails, becomes compromised, or has to leave the multicast group, then it becomes necessary to replace the existing member with a new member. Hence, the newly-elected member should be able to securely recover the FK generated by the replaced member. However, to ensure the integrity of the scheme, this recovery should be possible only if all the remaining contributing members cooperate. This feature deviates significantly from the existing key generating schemes [2,3,4]. We note that the requirement that an individual member acting alone not be able to obtain the FKs of other contributing members is similar to protecting individual private keys in public key cryptosystems.

DESCRIPTION OF THE MULTIPARTY KEY GENERATION SCHEME

The following is a list of assumptions regarding the algorithm, some of which may appear rather abstract at first glance:

• There exists a commutative operator $\oplus$ which forms an Abelian group when operating on the set of keys.

• It is computationally difficult to perform cryptanalysis on a cryptographically-secure random key by search methods if the key length is sufficiently large.

• The keys are all $L$ bits in length, and all members know this length.

• The number of participants in generating the SK is fixed as $n$ (where $n$ may be a function of $\oplus$).

• There is a mechanism for certifying the members participating in the key generation procedure, for securely exchanging the quantities required in the algorithm and for authenticating the source of these quantities.

• Every member has the capability to generate a cryptographically-secure random number, or a fresh quantity, of length at least $L$ bits.

With the assumptions above, we note that the key management scheme consists of three major parts:

1. Initialization — consisting of member selection, and secure initial pad and binding parameter generation and distribution;

2. Key Generation — an iterative process consisting of fractional, hidden and shared-key generation; and

3. Key Retrieval — required only in the case of a member node failure or compromise.

INITIALIZATION ALGORITHM

A Group Initiator (GI) first selects a set of $n$ FK-generating members, and the GI may be one of these members (how it occurs is not specified and is application-dependent). The GI then either (1) contacts a Security Manager (SM) — a third party who is not a FK-generating member — who generates the initial pads and the binding parameter and distributes them to the members, or (2) initiates a distributed procedure among the group members to create these quantities without the aid of a third party.

SECURITY MANAGER-BASED INITIALIZATION

The initial pads and binding parameter are distributed to each member $i$, for $i = 1, \ldots, n$, as

$SM \rightarrow i : \{\{T_{SM}, I, 1, \alpha_{i,1}, \theta_1\}_{K_{SM}^{-1}}\}_{K_i}$

where $\alpha_{i,1}$ — its initial one-time pad — is computed such that $\alpha_{1,1} \oplus \alpha_{2,1} \oplus \cdots \oplus \alpha_{n,1} = \theta_1$.

DISTRIBUTED INITIALIZATION

The GI (assumed to be a member and denoted here by the index 1 shown in Figure 1) can perform the following steps (1)-(5) (as in [10]) to generate the initial parameters of the group:

1. Generate two uniformly-distributed random quantities $\gamma$ and $\eta_{1,1}$ of bit length $L$, operate on these two quantities as $\gamma \oplus \eta_{1,1} = \delta_1$, and send the result to member 2 (the "next" member in the group) as $1 \rightarrow 2 : \{\{T_1, I, 1, \delta_1\}_{K_1^{-1}}\}_{K_2}$.

2. The following steps are repeated for $i = 2, \ldots, n-1$:

(a) Member $i$ generates a uniform random variable $\eta_{i,1}$ of bit length $L$.

(b) Member $i$ then operates on the quantity it received from member $i-1$ as $\delta_{i-1} \oplus \eta_{i,1} = \delta_i$.

(c) Member $i$ then sends the result to member $i+1$ as $i \rightarrow i+1 : \{\{T_i, I, 1, \delta_i\}_{K_i^{-1}}\}_{K_{i+1}}$.

3. Eventually, the group member $i = n$ receives $\delta_{n-1}$ and then generates a uniformly-distributed random quantity $\eta_{n,1}$ of bit length $L$, performs $\delta_{n-1} \oplus \eta_{n,1} = \delta_n$, and then securely sends it to the initiating member $i = 1$ as $n \rightarrow 1 : \{\{T_n, I, 1, \delta_n\}_{K_n^{-1}}\}_{K_1}$.

4. The initiator (member 1) then decrypts it and performs $\gamma \oplus \delta_n = \theta_1$, and then sends $\theta_1$ to each member $i$, for $i = 2, \ldots, n$, as $1 \rightarrow i : \{\{T_1, I, 1, \theta_1\}_{K_1^{-1}}\}_{K_i}$.

5. Each member $i$ privately computes $\alpha_{i,1} = \theta_1 \oplus \eta_{i,1}$, and uses $\alpha_{i,1}$ as its initial pad.

Figure 1. Distributed initialization algorithm

We note that these two approaches of initialization — security manager-controlled and distributed — are not equivalent unless additional security assumptions are made. For example, in the case of distributed initialization within the group, we point out that the following attack is feasible.

Assume that members $i-1$ and $i+1$ conspire to obtain the secret of member $i$, where the numerical ordering corresponds to the order of message passing in the distributed algorithm.

1. Member $i-1$ sends $\delta_{i-1}$ to member $i$ as per the algorithm, and also to member $i+1$ without $i$'s knowledge.

2. Member $i$, who is unaware of the conspiracy between $i-1$ and $i+1$, computes $\delta_i = \delta_{i-1} \oplus \eta_{i,1}$ and sends it to member $i+1$ securely.

3. Member $i+1$ can now compute $\eta_{i,1} = \delta_{i-1} \oplus \delta_i$ and obtain the secret $\eta_{i,1}$ of member $i$.

However, the secret $\eta_{i,1}$ generated by member $i$ becomes part of the pads (i.e. the $\alpha$'s) of members $i-1$ and $i+1$. Hence, the knowledge of $\eta_{i,1}$ reduces the entropy of the initial pads of the conspiring members. Thus, while the attack is feasible, there may not be any incentive to conspire in this manner.
KEY GENERATION ALGORITHM

The key generation algorithm is an iterative process depicted in Figure 2. Each iteration $j$ requires as input (indicated as step (0) in the figure) a set of one-time pads $\alpha_{i,j}$, $i = 1, \ldots, n$, and the binding parameter $\theta_j$, which are obtained from the initialization algorithm for iteration $j = 1$, and from the preceding iterations for $j > 1$.

Figure 2. Iteration and mappings of the key generation algorithm (iteration $j$: inputs $\alpha_{i,j}$ and $\theta_j$ at stage (0); $FK_{i,j} \rightarrow HFK_{i,j}$ by $\oplus\,\alpha_{i,j}$; $\oplus HFK_{i,j}$ and $\oplus\,\theta_j$ give $\theta_{j+1}$; $SK_j = f(\theta_{j+1})$; stages (0), (1), (2), (3), (5))

The iterative key generation algorithm consists of the following steps (1)-(5):

1. For $i = 1, \ldots, n$, a member $i$ generates a cryptographically-secure random number $FK_{i,j}$.

2. For $i = 1, \ldots, n$, a member $i$ generates a quantity $HFK_{i,j} = \alpha_{i,j} \oplus FK_{i,j}$, and all the members securely exchange the HFKs as $\forall\, 1 \le l, m \le n,\ l \ne m$, $l \rightarrow m : \{\{T_l, G, j, HFK_{l,j}\}_{K_l^{-1}}\}_{K_m}$.

3. Once the exchange is complete, each member computes the new group parameter $\theta_{j+1}$ as $\theta_{j+1} = \Lambda\theta_j \oplus HFK_{1,j} \oplus HFK_{2,j} \oplus \cdots \oplus HFK_{n,j}$, so that $\theta_{j+1} = FK_{1,j} \oplus FK_{2,j} \oplus \cdots \oplus FK_{n,j}$. ($\Lambda$ is a scale factor.)

4. If the resulting group parameter $\theta_{j+1}$ is cryptographically insecure for a particular application, all members can repeat steps (1)-(3), creating a new high quality group parameter $\theta_{j+1}$.

5. For $i = 1, \ldots, n$, a member $i$ computes $\alpha_{i,j+1} = \theta_{j+1} \oplus FK_{i,j}$, and $SK_j = f(\theta_{j+1})$ where $f(\cdot)$ is a strong one-way function.

The steps (1)-(5) present the computational steps for generating the keys at each update. At the end of step (5), we have the SK for the current iteration. Note that the quantity $\alpha_{i,j+1}$ is computed such that, for an outsider, obtaining $\alpha_{i,j+1}$ is very hard, even if the actual key $SK_j$ is compromised at any key update time interval $(j, j+1)$. Knowing the group key does not reveal the group parameter and, hence, the tight binding of the members will not be broken by the loss of the shared key. We note the following additional features of the key scheme:

• Although all the members have each $HFK_{i,j}$, obtaining the $FK_{i,j}$ or $\alpha_{i,j+1}$ of another member involves search in the $L$-dimensional space, and obtaining their correct combination involves search in the $(n-1)L$-dimensional space. Hence, even if a fellow member becomes an attacker, that rogue member faces nearly the same computational burden in obtaining the set of $n$ FKs as an outside cryptanalyst; i.e. trust is not unconditional.

• For such an outside attacker, breaking the system requires either a search in an $L$-dimensional space to get $\theta$, or in an $nL$-dimensional space to break individual secrets of all the members. Access to all $n$ HFKs alone is insufficient to permit an attacker to determine the SK; for that, the attacker must also possess the current binding parameter $\theta$, which is time-varying and never transmitted. If a SK is known to be compromised (perhaps due to traffic analysis), due to the strong one-way function property of $f(\cdot)$, information regarding $\theta$ is not directly obtained.

RETRIEVAL OF THE FRACTIONAL KEY AND PAD OF A FAILED NODE


The following steps are involved in recovery of the $FK_{i,j}$ and $\alpha_{i,j}$ of the failed node $i$, where $j$ represents the iteration number in which the node was compromised or failed.

1. Any one FK-generating member — called the Recovery Initiator (RI) — must initiate recovery and give the HFK of the failed node $i$ to the newly-elected node $i$ as $RI \rightarrow i : \{\{T_{RI}, R, j, HFK_{i,j}\}_{K_{RI}^{-1}}\}_{K_i}$.

2. The RI must also give the newly-elected node $i$ the current SK as $RI \rightarrow i : \{\{T_{RI}, R, j, SK_j\}_{K_{RI}^{-1}}\}_{K_i}$.

3. The remaining members run the same algorithm as is used for distributed initialization, with the following replacements: (a) $\theta$ by $\xi$ and (b) $\alpha_{l,j}$ by $\beta_{l,j}$. Except for the changes in the notation and the number of members participating, the algorithm for pad generation is the same as for distributed initialization. Hence, at the end of this distributed pad generation, each member $l$ has $\beta_{l,j}$ as its pad for the key recovery process, and all these pads are bound with the parameter $\xi$.

4. For $l = 1, \ldots, n-1$, each node $l$ then computes a modified hidden fractional key $HFK'_{l,j} = \beta_{l,j} \oplus FK_{l,j}$ and hands it to the newly-elected member $i$ as $l \rightarrow i : \{\{T_l, R, j, HFK'_{l,j}\}_{K_l^{-1}}\}_{K_i}$.

5. Node $i$ then combines all of the modified HFKs and recovers the fractional key $FK_{i,j}$ using the operation $FK_{i,j} = \Lambda\xi \oplus HFK'_{1,j} \oplus \cdots \oplus HFK'_{n-1,j} \oplus \theta_{j+1}$.

6. Node $i$ then extracts the pad $\alpha_{i,j}$ using the operation $\alpha_{i,j} = HFK_{i,j} \oplus FK_{i,j}$.

We note that the recovered values of $FK_{i,j}$ and $\alpha_{i,j}$ are unique. Once the new node recovers the fractional key of the compromised node, it can inform the other contributing members to update the iteration number $j$ to $j+1$, and then all members can execute the key generation algorithm. Note that even though the newly-elected member recovers the compromised fractional key and pad, the next key generation operation of the new node does not use the compromised key or pad. Hence, even if the attacker possesses the fractional key or pad at iteration $j$, it does not allow the attacker to obtain the future fractional keys or pads without any computation.

A SPECIFIC CHOICE OF THE FUNCTION ⊕

We have presented a class of multiparty key generation algorithms where a given instance of the class is determined by the choice of function $\oplus$.

We note that one possible choice for $\oplus$ is the modulo addition operation with respect to a large odd prime $p$, denoted here with $\boxplus$. In this case, we can deduce the following computation from the key generation algorithm:

$HFK_{1,j} \boxplus HFK_{2,j} \boxplus \cdots \boxplus HFK_{n,j} = FK_{1,j} \boxplus FK_{2,j} \boxplus \cdots \boxplus FK_{n,j} \boxplus (n-1)\theta_j.$

To remove the effect of $\theta_j$ on $\theta_{j+1}$, we should ensure that $\Lambda = (p + 1 - n)$ so that

$\theta_{j+1} = (p + 1 - n)\theta_j \boxplus HFK_{1,j} \boxplus HFK_{2,j} \boxplus \cdots \boxplus HFK_{n,j} = FK_{1,j} \boxplus FK_{2,j} \boxplus \cdots \boxplus FK_{n,j}.$
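The following Python program is an added worked example, written for this page and not code from the paper, that runs the scheme end to end with $\oplus$ instantiated as addition modulo a prime as in this section: the distributed initialization ring of Figure 1, one iteration of the key generation algorithm with the scale factor $\Lambda = p + 1 - n$, and the recovery steps for a failed node. Its assumptions, none of which the paper fixes: the prime is $p = 2^{61} - 1$, SHA-256 stands in for the strong one-way function $f(\cdot)$, the steps the paper writes with $\oplus$ but which really apply the group inverse (removing $\gamma$ in initialization step 4, $\theta_{j+1} \oplus FK_{i,j}$ in key generation step 5, and the combination in recovery step 5) are done with modular subtraction, the recovery step takes $\theta_{j+1}$ as already known to the new node, and in recovery the scale factor is recomputed for the $n-1$ surviving members so that their $\beta$ pads cancel.

```python
import hashlib
import secrets

# Constructed parameters for this example (not from the paper): the group operator ⊕ is
# addition modulo the Mersenne prime p = 2^61 - 1, and SHA-256 plays the role of f(.).
P = (1 << 61) - 1


def add(a, b, p=P):
    """The paper's ⊕, instantiated as addition mod p."""
    return (a + b) % p


def sub(a, b, p=P):
    """a ⊕ (inverse of b). The paper writes this step as ⊕ too; with XOR the two coincide."""
    return (a - b) % p


def scale_factor(n, p=P):
    """Λ = p + 1 - n: Λ·θ plus the (n-1)·θ hidden across the n pads is p·θ ≡ 0 (mod p)."""
    return (p + 1 - n) % p


def shared_key(theta):
    """SK_j = f(θ_{j+1}); SHA-256 stands in for the paper's unspecified strong one-way f."""
    return hashlib.sha256(theta.to_bytes(8, "big")).hexdigest()


def distributed_init(etas, p=P, gamma=None):
    """Figure 1 ring protocol. etas[i] is member i's private contribution η_{i,1}.

    Returns θ_1 and the initial pads α_{i,1} = θ_1 ⊖ η_{i,1}, which sum to (n-1)·θ_1.
    The signed-and-encrypted ring messages are simulated by passing δ along inside
    this one process.
    """
    gamma = secrets.randbelow(p) if gamma is None else gamma
    delta = add(gamma, etas[0], p)                 # step 1: δ_1 = γ ⊕ η_{1,1}
    for eta in etas[1:]:                           # steps 2-3: δ_i = δ_{i-1} ⊕ η_{i,1}
        delta = add(delta, eta, p)
    theta1 = sub(delta, gamma, p)                  # step 4: initiator strips its blinding γ
    pads = [sub(theta1, eta, p) for eta in etas]   # step 5: α_{i,1}, computed privately
    return theta1, pads


def keygen_iteration(theta, pads, fks, p=P):
    """One iteration j of the key generation algorithm, steps 1-5.

    fks[i] is member i's fresh FK_{i,j} (step 1). Returns the exchanged HFK_{i,j},
    θ_{j+1}, the next pads α_{i,j+1} and SK_j.
    """
    n = len(pads)
    hfks = [add(a, fk, p) for a, fk in zip(pads, fks)]   # step 2: HFK_{i,j} = α_{i,j} ⊕ FK_{i,j}
    theta_next = scale_factor(n, p) * theta % p          # step 3: Λ·θ_j ...
    for h in hfks:
        theta_next = add(theta_next, h, p)               # ... ⊕ HFK_{1,j} ⊕ ... ⊕ HFK_{n,j}
    new_pads = [sub(theta_next, fk, p) for fk in fks]    # step 5: α_{i,j+1} = θ_{j+1} ⊖ FK_{i,j}
    return hfks, theta_next, new_pads, shared_key(theta_next)


def recover_failed(hfk_i, theta_next, surviving_fks, p=P):
    """Recovery steps 3-6 for a failed node i.

    hfk_i is HFK_{i,j} handed over by the RI, theta_next is θ_{j+1} (assumed known to
    the new node), and surviving_fks are the FK_{l,j} of the n-1 remaining members,
    passed in only so one process can simulate all of them. Returns (FK_{i,j}, α_{i,j}).
    """
    m = len(surviving_fks)                                   # n - 1 participants
    xi, betas = distributed_init([secrets.randbelow(p) for _ in range(m)], p)  # step 3
    hfk_mod = [add(b, fk, p) for b, fk in zip(betas, surviving_fks)]  # step 4: HFK'_{l,j}
    acc = scale_factor(m, p) * xi % p                        # step 5: Λ·ξ cancels the β pads ...
    for h in hfk_mod:
        acc = add(acc, h, p)                                 # ... leaving ⊕_{l≠i} FK_{l,j}
    fk_i = sub(theta_next, acc, p)                           # θ_{j+1} minus the others' FKs
    alpha_i = sub(hfk_i, fk_i, p)                            # step 6: α_{i,j} = HFK_{i,j} ⊖ FK_{i,j}
    return fk_i, alpha_i


def demo(n=4):
    """Initialize, run one iteration, then recover member 0; True if recovery is exact."""
    theta1, pads = distributed_init([secrets.randbelow(P) for _ in range(n)])
    fks = [secrets.randbelow(P) for _ in range(n)]
    hfks, theta2, _, _ = keygen_iteration(theta1, pads, fks)
    fk0, alpha0 = recover_failed(hfks[0], theta2, fks[1:])
    return fk0 == fks[0] and alpha0 == pads[0]


if __name__ == "__main__":
    print("recovery exact:", demo())
```

Three invariants are worth checking when reading the trace: $\theta_{j+1}$ comes out as the plain sum of the $FK_{i,j}$ with no trace of $\theta_j$, the pads always sum to $(n-1)\theta_j$ (the quantity that $\Lambda\theta_j$ cancels), and the recovered pair equals exactly what the failed member held, while the surviving members only ever release $\beta_{l,j} \oplus FK_{l,j}$.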

Regarding the choice of the number of members, clearly, the choice of $n = 2$ is not appropriate for such a scheme. Although choosing $n = 3$ does not instantly expose a secret pad $\alpha_i$ when a participating member becomes an attacker (i.e. a rogue), the following attack — called fractional attack (FA) — is feasible.

Lemma: When $\oplus$ is a $\boxplus$ function, independent of how non-trivial the bit-length of the key is, choosing $n = 3$ permits a FA.

Proof: Assume that the time instant at which one member $i$ ($i = 1$ or 2 or 3) becomes a rogue is $j$. At this time the members have values of $\alpha_{1,j} = HFK_{2,j} \boxplus HFK_{3,j}$, $\alpha_{2,j} = HFK_{3,j} \boxplus HFK_{1,j}$, $\alpha_{3,j} = HFK_{1,j} \boxplus HFK_{2,j}$. Every member also has access to the current $\theta_{j+1}$ and their own $FK_{l,j}$ ($l = 1, 2, 3$). At this stage, obtaining the $\alpha$ component of any other member is as computationally intensive as an outside attacker trying to obtain $\theta_{j+1}$. However, if a member, say $i = 1$, is compromised and releases its secret $\alpha_{1,j}$, then each of the other members can use this and compute $FK_{1,j} = \alpha_{1,j} \boxplus \theta_{j+1}$. Since $\theta_{j+1} = FK_{1,j} \boxplus FK_{2,j} \boxplus FK_{3,j}$, each member can now compute the other non-rogue member's FK as well.

This leads to the following Corollary: When $\oplus$ is a $\boxplus$ function, independent of how non-trivial the bit-length of the key is, the minimum number of members to prevent a FA by a single rogue member for the multiparty key scheme is 4.

VERIFIABLE SECRET SHARING FOR KEY GENERATION SCHEME

Since there are multiple entities involved in key generation, it becomes important to have a mechanism to verify if the parameters exchanged actually contribute to the generated shared key. The verification steps have to be followed at (a) SM-based group initialization, (b) distributed group initialization, (c) each $\theta$-generation iteration and (d) key recovery.

SM-based Initialization

In the case of the SM-based scheme, each member $i$ needs to make sure that the SM uses non-trivial values for its $\alpha_{i,1}$ and $\theta_1$. Since each member needs to protect its individual pad value, one method for openly checking correctness of the pads is to generate a public value that will enable all the key generating members to check their correctness without revealing the actual value of the individual pads. Such a verification technique falls under the category of Verifiable Secret Sharing (VSS) [7, 8].

If one wants to check if the individual initial pads $\alpha_{i,1}$ given by the security manager are "good", the scheme given below can be used.

1. Any one member (possibly the SM) picks a very large prime number $p$ and sends it to all the members. The number picked should be larger than the possible range of the $\theta$ value. The same member also sends a generator $g$ of the multiplicative group under $p$.

2. Each member $i$ picks a random polynomial $f_i$ with value 0 at the origin.

3. Each member $i$ adds the polynomial value to the pad value, generates $c_{i,1} = g^{\alpha_{i,1} + f_i}$ and sends the result to all the other members.

4. Each member $i$ computes $\prod_{l=1}^{n} c_{l,1} = g^{\theta_1 + \sum_{l=1}^{n} f_l}$ and evaluates it at the origin to check if the value is equal to $g^{\theta_1}$.

5. Each member $i$ checks if $g^{\theta_1} \stackrel{?}{=} \prod_{l=1}^{n} g^{\alpha_{l,1}}$, where failure (inequality) means that some or all of the given pads don't correspond to the given $\theta_1$.

We note that it is also possible to use specific polynomial based techniques to allow members to verify if the individual pads are correctly distributed to the members.

Distributed Initialization

In the case of distributed initialization, the following scheme can be used to check if the GI gives the $\theta$ that is generated from the contributions of the group members.

1. Any one member (possibly the GI) picks a very large prime number $p$ and sends it to all the members. The number picked should be larger than the possible range of the $\theta$ value. The same member also sends a generator $g$ of the multiplicative group under $p$.

2. The GI computes $g^{\gamma}$ and $g^{\eta_{1,1}}$, and makes them available to all the group members.

3. Each member $i$ publishes $g^{\eta_{i,1}}$, making it available only to the group members.

4. Each member $i$ checks if $g^{\theta_1} \stackrel{?}{=} \prod_{l=1}^{n} g^{\eta_{l,1}}$, where failure (inequality) means that the pad binding parameter and the individual pads do not agree. In this case, since every member publishes its $g^{\eta_{i,1}}$, it is possible to find exactly which member's pad does not agree without knowing the actual value of the pad.

We note that similar testing can be done for the $\theta$ generation stage. We omit that due to space limitation.
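The following is an added Python example, written for this page rather than taken from the paper, of the distributed-initialization check in step 4 above: the published $g^{\eta_{i,1}}$ values are multiplied together and compared with $g^{\theta_1}$, and a pad that does not agree with $\theta_1$ is localised without any pad being revealed. It assumes things the page does not state: a toy safe prime $p = 1019 = 2 \cdot 509 + 1$ with $g = 4$ generating the subgroup of order $q = 509$ (a deployment would use a large $p$), pads and $\theta_1$ reduced modulo the order $q$ of $g$ so that products of powers line up with sums of exponents (the page only asks that $p$ exceed the range of $\theta$), and, for the per-member localisation the page says is possible, that each member also publishes $g^{\alpha_{i,1}}$ so that $g^{\alpha_{i,1}} \cdot g^{\eta_{i,1}}$ can be compared with $g^{\theta_1}$ member by member. The polynomial masking of the SM-based scheme is not implemented here.

```python
# Constructed toy parameters for this example (not from the paper): p = 2q + 1 is a safe
# prime and g = 4 = 2^2 generates the subgroup of order q in Z_p^*, so exponents can be
# reduced mod q and the checks below are exact equalities in the group.
P = 1019
Q = 509
G = 4


def commit(x):
    """Public value g^x mod p for a private x; x stays hidden behind the discrete log."""
    return pow(G, x, P)


def init_contributions(etas):
    """What the ring protocol ends with, reduced mod q: θ_1 = ⊕ η_{i,1} and the pads
    α_{i,1} = θ_1 ⊖ η_{i,1}. The blinding γ cancels exactly and is omitted here."""
    theta1 = sum(etas) % Q
    pads = [(theta1 - eta) % Q for eta in etas]
    return theta1, pads


def binding_check(theta1, eta_commits):
    """Step 4: g^{θ_1} ?= Π_i g^{η_{i,1}}, computed from the published commitments only."""
    product = 1
    for c in eta_commits:
        product = product * c % P
    return commit(theta1) == product


def disagreeing_members(theta1, pad_commits, eta_commits):
    """Localisation (assumed extra publication of g^{α_{i,1}}): member i's pad agrees
    with θ_1 iff g^{α_{i,1}} · g^{η_{i,1}} == g^{θ_1}. Returns the indices that fail."""
    target = commit(theta1)
    return [i for i, (pc, ec) in enumerate(zip(pad_commits, eta_commits))
            if pc * ec % P != target]


def run_check(etas, tampered_pads=None):
    """Simulate a group publishing g^{η} and g^{α}; return (binding ok, bad member indices).
    tampered_pads is a constructed fault: the pads some members actually hold."""
    theta1, pads = init_contributions(etas)
    if tampered_pads is not None:
        pads = tampered_pads
    eta_commits = [commit(e) for e in etas]
    pad_commits = [commit(a) for a in pads]
    return binding_check(theta1, eta_commits), disagreeing_members(theta1, pad_commits, eta_commits)


if __name__ == "__main__":
    print(run_check([3, 5, 7, 11]))                    # (True, [])
    print(run_check([3, 5, 7, 11], [23, 21, 20, 15]))  # (True, [2]): member 2 holds a wrong pad
```

The second call shows why the binding check alone is not enough: $\theta_1$ still matches the published $\eta$ commitments, so only the per-member comparison reveals that member 2's pad is off, and it does so without exposing the pad value itself.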

CONCLUSIONS AND FUTURE WORK

We presented a distributed key generation scheme that allows a pre-specified number of members to jointly generate and update a shared key. We showed that it is possible to make use of the distributed nature of the group — through the use of non-cryptographic techniques — to securely generate and distribute (in the sense of computational security) the future keys. This is achieved by parameterizing the distributed group with a time-varying quantity that is computed at each key update. The parameter binds the members' dynamic one-time pads such that, without knowledge of this parameter, it is not possible to generate a valid one-time pad and, hence, a valid fractional key. In other words, the members' fractional keys are mixed or hidden with these time-varying pads that implicitly depend on the time-varying group parameter. Hence, even if the hidden fractional keys are obtained by an attacker, in the absence of the time-varying group parameter, the attacker does not have immediate access to the group key. Thus, this approach increases group security in a non-cryptographical manner.

We also showed how the group can be initialized with or without an external entity, and still recover the fractional keys of a failed node without an external entity. In developing our methods, we were able to provide some VSS features to verify that the group parameter, and the member generated secrets, are indeed related.

More importantly, the group shared keys are generated using a strong one-way function and, hence, the loss of the shared key at a particular time interval compromises neither the integrity of the future keys nor the integrity of the past keys.